OFFICE OF THE INSPECTOR GENERAL
SOCIAL SECURITY ADMINISTRATION

ASSESSING THE APPLICATION CONTROLS FOR THE
SOCIAL SECURITY ADMINISTRATION'S
INTEGRATED DISABILITY MANAGEMENT SYSTEM

March 2006     A-14-05-15064

AUDIT REPORT

Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG). The mission of the OIG, as spelled
out in the Act, is to:

  • Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  • Promote economy, effectiveness, and efficiency within the agency.
  • Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  • Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  • Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  • Independence to determine what reviews to perform.
  • Access to all information necessary for the reviews.
  • Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.

SOCIAL SECURITY
MEMORANDUM

Date:    March 23, 2006                                        Refer To:

To:      The Commissioner

From:    Inspector General

Subject: Assessing the Application Controls for the Social Security Administration's Integrated
         Disability Management System (A-14-05-15064)

OBJECTIVE

Our objective was to assess the application controls for the Social Security
Administration's (SSA) Integrated Disability Management System (IDMS). The audit
encompassed the three phases of the processing cycle (input, processing, and output)
to ensure disability-related transactions are valid, properly authorized, and completely
and accurately processed and reported.

BACKGROUND

SSA established the IDMS in 2002 as a central repository for disability information for all
Title II and Title XVI beneficiaries. Its purpose is to enhance management of
post-entitlement disability processing. This would include the medical continuing disability
review (CDR) process and meeting the requirements set forth in the Ticket to Work
legislation.[1] The IDMS provides online access to all disability-related information for a
beneficiary's or recipient's work and earnings, Ticket to Work status, and data regarding
pending and processed CDRs and expedited reinstatement actions. IDMS provides on-line
access and integrates the following disability-related databases and systems:
Disability Control File, Ticket Payment File, Earnings File, and the Employment Network
payment system.
SSA controls on-line access to IDMS through the use of specialized
software.

[1] Ticket to Work and Work Incentives Improvement Act of 1999, Pub. L. No. 106-170, 113 Stat. 1860
(1999).

Access Control Software

SSA uses eTrust® CA-Top Secret (Top Secret), a commercial access control software
package, to control employee access to IDMS and other production[2] mainframe
computer resources. Top Secret protects computer resources by identifying authorized
users and controlling their access capability via individual personal identification
numbers (PIN). The PIN is assigned as many profiles as the employee needs to
perform his or her job duties.

One of Top Secret's primary mechanisms for controlling user access is the access
authorization profile. Profiles contain sets of common access authorizations referred to
as transaction identifications (ID) for groups of users. Access authorizations allow
specific data entry transactions and query capabilities for each computer screen.

Another mechanism for controlling access is via datasets. Datasets are groups of
related electronic files containing data and/or programs. Dataset access can be granted
to PINs or to profiles that permit the user to read, update, change, or delete the data or
programs stored in the files.

We identified 289 access authorization profiles assigned to 69,548 individuals with PINs
providing access to the IDMS application. Access authorization profiles are profiles that
are reviewed, approved, and administered by SSA's Office of Systems Security
Operations Management (OSSOM).
These profiles are most applicable to operational
positions, such as benefit authorizers, that are standard throughout SSA's field
locations.

Concept of "Least Privilege"

SSA has incorporated the principle of "least privilege" as a standard in its Information
Systems Security Handbook (ISSH). In fact, the ISSH[3] states that controlling and
limiting access "...is the first line of defense in assuring the security, integrity and
availability of the Agency's information systems and resources." Least privilege is
defined as the practice of restricting a user's access to data files, processing
capabilities, or type of access (such as read, write, execute, delete) to the minimum
necessary to perform his or her job.

[2] Production mainframe computer resources consist of files and datasets, software applications, and
programs that operate in SSA's primary business operating environment.
[3] ISSH, Chapter 10, Systems Access Security, page 1 (September 2004).

Since the 1997 audit of SSA financial statements, the related internal control report
contained a reportable condition related to information protection, which included the
Agency's ability to effectively implement the concept of least privilege. During the 2005
audit, SSA's financial statement audit contractor removed a reportable condition
regarding security access authorizations. This decision was based on improved access
controls for eleven applications critical to the financial statements. To resolve the
reportable condition, SSA implemented (1) the Standardized Security Profile Project to
address programmer access issues, and (2) periodic reviews of Office of Operations
access authorizations based on least privilege. IDMS was not one of these critical
systems.
However, SSA plans to expand its efforts to include non-critical systems in
the future. This report includes a review of not only programmer access, but also a full
review of access authorizations for all Agency components, including the Office of
Operations.

RESULTS OF REVIEW

We reviewed the significant input, processing, and output controls for the IDMS. While
we found many processing and output controls were strong and operating effectively,
we identified areas where input controls should be improved. We tested two areas of
input controls: input edits and system access. Our review determined that input edits
were effective, but system access needs to be strengthened.

Access Controls Need to be Strengthened

We found the following issues with access controls:

   • Excessive Access was Granted to IDMS Data via Transaction IDs.
   • Excessive Access to Production Datasets.
   • Process for Bypassing Edits Lacks Adequate Controls.

Excessive Access was Granted to IDMS Data via Transaction IDs

Excessive access to IDMS data was granted via Top Secret transaction IDs. Specifically,
transaction IDs were assigned to Top Secret profiles that were not necessary for
employees to perform their job responsibilities, resulting in excessive access. We found
84 of 289 IDMS Top Secret access authorization profiles were assigned to 23,136
individuals who were granted excessive access to the IDMS application and data. SSA's
policy of "least privilege" requires access be limited to the "minimum necessary" to
perform one's job responsibilities.

These access permissions allow (1) CDR establishment, (2) changes to medical data
and diary dates, and (3) changes to bank account and routing numbers for payments to
Employment Network vendors.
Additionally, this level of access could result in
erroneous decisions regarding CDRs and Ticket to Work issues because of
inappropriate changes to the data.

According to the ISSH,[4] it is the responsibility of management to determine and approve
the access needs of their employees. Changes to employees' access are requested by
management via a profile access matrix, approved by the component security officer
(CSO) and delivered to the OSSOM staff for final authorization.

Security officers are responsible for the development, implementation, and
management of a security program within their organization.[5] Security officers also
administer the assignment of PINs, passwords and profiles to ensure employees have
access to only those system resources necessary to perform their assigned
responsibilities.[6] Some security officers need further guidance to (1) select and
properly assign appropriate transaction IDs to profiles, (2) adequately understand the
capabilities of the transaction IDs involved, and (3) adequately understand the job
requirements in their respective components for requesting appropriate access. For
example, in the Office of Hearings and Appeals (OHA) and the Office of the Chief
Actuary, security personnel inadvertently or unknowingly assigned transaction IDs that
provided the capability to update or modify data in IDMS, when query-only access was
all that was needed.

The 84 profiles with excessive access belonged to 10 SSA components.
After
discussions with each of the CSOs, all agreed that access was excessive and eight
(OHA, Office of Disability Operations, Office of Disability and Income Security
Programs, Office of Disability and Supplemental Security Income Systems, Office of
International Operations, Office of Public Service and Operations Support, Office of
Quality Assurance, and Office of Telecommunications and Systems Operations)
initiated appropriate profile changes during our audit. We believe excessive access was
granted for the following reasons.

   1. CSOs were not familiar enough with the IDMS application to properly
      assign update or query-only access. Several security officers stated that
      when they assigned access to the application, they allowed users to decide
      access levels, or they simply copied profiles from other components. Other
      CSOs stated they or their security staff simply did not have the in-depth
      knowledge of the application area to be able to assign the appropriate access
      levels.

   2. Inadequate review of Top Secret profiles. OSSOM staff reviews and approves
      all new or modified access authorization profiles before they are implemented.
      During its profile reviews, OSSOM staff did not detect or prevent the erroneous
      IDMS transaction IDs from being assigned.

[4] ISSH, Chapter 10, Systems Access Security, page 12 (September 2004).
[5] ISSH, Chapter 2, Security Officer Standards, page 1 (February 2001).
[6] ISSH, Chapter 2, Security Officer Standards, page 4 (February 2001).

   3. Security officers did not always attend the Security Kickoff meetings. Two
      CSOs did not attend these security meetings or send an alternate.
Security
      Kickoff meetings are held by CASB (the Office of Systems' Control, Audit, and
      Security Branch) in conjunction with systems development staff to provide
      detailed security information and answer questions regarding security access to
      each application when either a new application is being released or when there
      are significant changes to an application. If the component will require access
      to the application, CSOs should be strongly encouraged to either attend all
      Security Kickoff meetings, or send an alternate.

   4. Thirty-eight of 57 IDMS transaction IDs in the Top Secret Resource List
      were not clearly identified as having "update" or "query-only" capability.
      SSA should ensure clear labeling of transaction IDs identifying the type of access
      they bear to help ensure excessive access is not erroneously granted.

Excessive Access to Production Datasets

We identified 14 programmers and analysts in the Office of Systems (OS) who had the
"All" access designation within the Top Secret security software to IDMS datasets. The
"All" access designation allows users to create, delete and modify any of the data
contained within the datasets we reviewed. This level of access prevents SSA from
ensuring the integrity of IDMS because data could be inadvertently or intentionally
updated, changed, or deleted by unauthorized individuals. By allowing programmers
and analysts to have the "All" access designation, SSA is not conforming to Office of
Management and Budget (OMB) Circular No. A-130 Appendix III, Security of Federal
Automated Information Resources,[7] concept of least privilege or separation of duties.
As noted earlier, SSA has taken steps to remove programmer access to production
datasets for its critical systems, and plans to expand this process to other systems,
including IDMS, in the future.

SSA was unaware that these 14 programmers and analysts had update access. SSA
was unable to determine why this access occurred because this access had been in
existence for an indeterminate period of time. SSA should modify dataset access to be
"read only" and instruct staff to use SSA's procedures for accessing production datasets
via the "Second $UserID"[8] process.

During the course of our audit, SSA began to modify the IDMS production dataset
access of these programmers and analysts to "read only" and implement the "Second
$UserID" process per our recommendation. SSA has not yet completed this process.

[7] OMB Circular No. A-130, Appendix III, Security of Federal Automated Information Resources,
section B(a)(2)(c).
[8] The Second $UserID procedure was developed to comply with the requirements of OMB Circular
No. A-130 by allowing application programmers temporary update access privileges to address system
anomalies.

Process for Bypassing Edits Lacks Adequate Controls

SSA's Office of Employment Support Programs (OESP) processes payments to the
Employment Network vendors under the Ticket to Work program via the IDMS. The
IDMS permits authorized users to process payments that meet certain requirements as
determined by Agency policy.
However, if one
of the requirements is not met, IDMS will display a ticket payment edit when the user
attempts to input the data to the system. The presence of an edit message also
prevents further processing until the condition that created the edit message is rectified.
For example, IDMS normally will display an edit message and prevent further payment
processing when an employer was already paid for the timeframe requested or when
benefit payments have been suspended to the beneficiary or recipient for medical
reasons.

As part of its July 2005 software release, by request of the business owner, OS
programmed the capability for some Ticket payment edits to be bypassed.
Consequently, IDMS will now permit users whose PINs are listed in a particular dataset
to bypass three Ticket payment edits and allow further processing of payment requests
to Employment Network vendors under the following conditions:

   • A Ticket payment request for a terminated Ticket.
   • A Ticket payment for a milestone claim for a beneficiary who is not in current
     payment status.
   • A Ticket payment for an outcome claim for a beneficiary who is still receiving
     benefits.

OESP staff sometimes have a legitimate business need to bypass these edits, such as
when data on the IDMS database is incorrect. As of September 8, 2005, six individuals
in OESP had the ability to bypass these three edits, and only five were in need of this
ability.[9] However, the dataset that controls who has the ability to bypass these edits
can be updated, changed, or modified at any time by seven individuals in OS.
Changes, updates, and modifications to this file are not captured, monitored, or tracked
through an audit trail. As a result, inappropriate individuals could be added to the file
and have the ability to bypass these edits.
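To make the bypass finding concrete, the following added example (not code from the OIG report or from SSA's IDMS) models the three bypassable Ticket payment edits, the dataset of PINs permitted to bypass them, and the controls the report identifies as missing: changes to that dataset are restricted to named administrators and written to an audit trail, and the dataset can be reconciled against the trail and against the staff who still need the ability. Edit labels, PINs, administrator names and helper names are constructed for the example.

```python
"""Added example: a model of the IDMS Ticket payment edits, the dataset of
PINs allowed to bypass them, and two compensating controls (an audit trail on
changes to that dataset, and reconciliation of its contents).  All names, PINs
and records are constructed for illustration; this is not SSA code."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed labels for the three bypassable edits the report describes.
EDIT_TERMINATED_TICKET = "terminated-ticket"
EDIT_MILESTONE_NOT_IN_PAY = "milestone-claim-not-in-current-pay"
EDIT_OUTCOME_STILL_IN_PAY = "outcome-claim-still-receiving-benefits"
BYPASSABLE = frozenset({EDIT_TERMINATED_TICKET, EDIT_MILESTONE_NOT_IN_PAY,
                        EDIT_OUTCOME_STILL_IN_PAY})


@dataclass
class PaymentRequest:
    ticket_terminated: bool     # the Ticket has been terminated
    beneficiary_in_pay: bool    # beneficiary is in current payment status
    claim_type: str             # "milestone" or "outcome"
    requester_pin: str          # PIN of the OESP user entering the request


def payment_edits(req):
    """Edit messages the request triggers; an empty list means it can be paid."""
    hits = []
    if req.ticket_terminated:
        hits.append(EDIT_TERMINATED_TICKET)
    if req.claim_type == "milestone" and not req.beneficiary_in_pay:
        hits.append(EDIT_MILESTONE_NOT_IN_PAY)
    if req.claim_type == "outcome" and req.beneficiary_in_pay:
        hits.append(EDIT_OUTCOME_STILL_IN_PAY)
    return hits


class BypassList:
    """The dataset of PINs permitted to bypass the three edits.

    The weakness in the report: the dataset could be altered by anyone holding
    "All" access to it, and nothing recorded who changed it.  Here every change
    goes through one method that checks the changer and appends an audit entry.
    """

    def __init__(self, administrators):
        self._admins = frozenset(administrators)   # who may change the list
        self.members = set()                       # PINs allowed to bypass
        self.audit_trail = []                      # append-only change log

    def change(self, action, pin, by, reason):
        if by not in self._admins:
            raise PermissionError(f"PIN {by} may not modify the bypass list")
        if action == "add":
            self.members.add(pin)
        elif action == "remove":
            self.members.discard(pin)
        else:
            raise ValueError(f"unknown action {action!r}")
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action, "pin": pin, "by": by, "reason": reason})


def process_payment(req, bypass_list, bypass_requested=False):
    """Return (accepted, edits).  A bypass takes effect only for a listed PIN
    and only when every triggered edit is one of the three bypassable ones."""
    edits = payment_edits(req)
    if not edits:
        return True, []
    if (bypass_requested and req.requester_pin in bypass_list.members
            and set(edits) <= BYPASSABLE):
        return True, edits
    return False, edits


def replay_membership(audit_trail):
    """Membership the audit trail accounts for, replayed from the first entry."""
    members = set()
    for entry in audit_trail:
        if entry["action"] == "add":
            members.add(entry["pin"])
        else:
            members.discard(entry["pin"])
    return members


def untracked_members(dataset_pins, audit_trail):
    """PINs in the dataset that no audit entry added: evidence the file was
    changed out of band (for instance through direct "All" access)."""
    return set(dataset_pins) - replay_membership(audit_trail)


def stale_members(dataset_pins, staff_with_need):
    """Listed PINs with no current business need (the report's sixth user)."""
    return set(dataset_pins) - set(staff_with_need)
```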
Unrestricted update access to this dataset prevents SSA from
ensuring that erroneous, inaccurate or improper payments to Employment Network
vendors are not made. This occurred because SSA did not design the application with
the capability to make corrections or perform overrides.

While we understand the need for certain edits to be bypassed to process transactions
correctly, we believe SSA can mitigate the risks by implementing compensating
controls. To improve controls, SSA should remove "All" access to this dataset and
instruct staff to use SSA's procedures for accessing production datasets via the
"Second $UserID" process. If cost effective, SSA should modify the IDMS software to
achieve this functionality rather than modifying input controls using dataset access.

[9] We discovered that the sixth individual no longer worked for the component and consequently, no
longer needed access. SSA removed his access on September 14, 2005.

During the course of our audit, SSA has begun to modify the dataset access of these
programmers and analysts to "read only" and implement the "Second $UserID" process
per our recommendation. SSA has not yet completed this process.

CONCLUSION AND RECOMMENDATIONS

SSA needs to strengthen security access controls for the profiles that have excessive
access. Excessive access could result in erroneous decisions regarding CDRs and
Ticket to Work issues; erroneous, inaccurate or improper payments to Employment
Network vendors; and the loss of data. To establish proper security controls and
effectively implement the policy of least privilege, SSA needs to restrict authorized
employee access to that which is needed to perform assigned duties. SSA also needs
to improve security officers' monitoring and oversight in the granting of access
throughout SSA.

We recommend SSA:

1. Remove excessive or inappropriate transaction IDs from those profiles identified as
   having excessive access.

2. Enforce the policy of least privilege by following existing policy and conducting more
   thorough reviews of security access matrices.

3. Strongly encourage CSOs (or their alternates) to attend those IDMS Security Kickoff
   meetings when access will be requested.

4. Ensure the labeling of IDMS transaction IDs in the Top Secret Resource List clearly
   identifies the type of access they bear, whether "update" or "query-only."

5. Continue to ensure that programmer access to production datasets is controlled via
   the "Second $UserID" process.

6. If cost effective, SSA should modify the IDMS software to allow for ticket corrections,
   so that edits no longer need to be bypassed.

AGENCY COMMENTS

SSA agreed with our recommendations. See Appendix D for the full text of the
Agency's comments.

Patrick P. O'Carroll, Jr.

Appendices

APPENDIX A – Acronyms
APPENDIX B – Background
APPENDIX C – Scope and Methodology
APPENDIX D – Agency Comments
APPENDIX E – OIG Contacts and Staff Acknowledgments

Appendix A

Acronyms

CASB    Control, Audit, and Security Branch
CDR     Continuing Disability Review
CSO     Component Security Officer
ID      Identification
IDMS    Integrated Disability Management System
ISSH    Information Systems Security Handbook
OESP    Office of Employment Support Programs
OHA     Office of Hearings and Appeals
OMB     Office of Management and Budget
OS      Office of Systems
OSSOM   Office of Systems Security Operations Management
PIN     Personal Identification Number
SSA     Social Security Administration

Appendix B

Background

The online portion of the Integrated Disability Management System (IDMS) consists of
57 unique online screens on which users can establish a continuing disability review
(CDR), input CDR decisions, update medical and diary information, add or delete Ticket
assignments, initiate Ticket payments to Employment Network vendors, and change
Employment Network information, including bank routing numbers for vendors. The
IDMS contains data about disabled Title II beneficiaries and Title XVI recipients. IDMS
serves as a data repository for all disabled individuals receiving benefits or working
under the Ticket to Work incentives.

The IDMS is used in over 1,300 field offices nationwide, as well as Program Service
Centers, Regional Offices, Teleservice Centers, Offices of Hearings and Appeals, and
various Headquarters components, such as the Office of Disability and Income Security
Programs, Office of Quality Assurance, and Office of the Chief Actuary.
Thousands of
SSA employees have some level of access to the IDMS, ranging from the ability to
query very limited IDMS information to the capability for establishing and updating a full
range of disability and employment data.

Concept of "Least Privilege"

The Office of Management and Budget (OMB) Circular No. A-130, Management of
Federal Information Resources, requires that agencies: (1) maintain and protect
individuals' identifiable information and proprietary information in a manner that
precludes unwarranted intrusion upon personal privacy and violation of confidentiality;
(2) ensure agency personnel are trained to safeguard information resources;
(3) establish a level of security for all agency information systems commensurate with
the sensitivity of the information and the risk and magnitude of loss or harm that could
result from improper operation of the information system; and (4) ensure that only
authorized personnel have access to information systems.

OMB Circular No. A-130 also requires that agencies incorporate personnel controls,
such as separation of duties, least privilege, and individual accountability to ensure that
adequate security is provided for an agency's major applications. Least privilege is
defined as the practice of restricting a user's access to data files, processing
capabilities, or type of access (such as read, write, execute, delete) to the minimum
necessary to perform his or her job. SSA has incorporated this principle as a standard
in its Information Systems Security Handbook (ISSH).

SSA's Office of Systems Security Operations Management (OSSOM) staff, along with a
network of regional and Central Office component security officers (CSOs), have overall
responsibility to interpret, develop, and implement security policy.
CSOs develop,
implement, and manage the overall security program within their organizations,
specifically administration of access controls. According to the ISSH,[1] OSSOM staff
provides guidance and advises security officers in matters involving SSA's security
program, establishes systems security policies and procedures, and administers the
profile access authorization matrices.

SSA management has the overall responsibility to determine and approve the access
needs of SSA employees. As part of this responsibility, management requests changes
to employee access via the profile access authorization matrix to accommodate new
developments or changes in circumstances. Changes to the profile access
authorization matrices are reviewed and approved by the CSO and delivered to the
OSSOM staff for final authorization. The types of profile changes that CSOs may
request are:

   • establishing a new profile for an employee position;
   • adding a newly developed transaction identification (ID) to the profile access
     matrix;
   • modifying an existing profile to add or remove a transaction ID; and
   • deleting an existing profile.

SSA's Office of Systems' Control, Audit, and Security Branch (CASB) makes
recommendations on security, audit, and internal control issues for all SSA
programmatic systems, including IDMS, ensures security standards are implemented,
and leads reviews of programmatic processes and systems to identify security
weaknesses. CASB validates and verifies matrices to ensure the requested access
matches the access that is granted.

[1] ISSH, Chapter 10, Systems Access Security, page 2 (September 2004).

Appendix C

Scope and Methodology

To accomplish our objectives, we:

•   Reviewed the applicable laws and Social Security Administration (SSA) regulations,
    rules, policies, and procedures.

•   Reviewed 289 Top Secret access authorization profiles for the granting of access to
    the Integrated Disability Management System (IDMS). This included reviews of the
    Ticket to Work and Continuing Disability Review application profiles.

•   Reviewed access to IDMS datasets and identified all PINs and profiles having
    excessive access.

•   Reviewed the names for 57 transaction IDs listed in the Top Secret Resource List
    for the CDR and Ticket to Work applications.

•   Interviewed SSA personnel in Headquarters components, including:

       -   Office of the Chief Actuary,
       -   Office of Disability and Income Security Programs,
       -   Office of Finance, Assessment and Management,
       -   Office of Operations,
       -   Office of Policy, and
       -   Office of Systems.

•   Interviewed field office and program service center employees in Towson and
    Woodlawn, Maryland to ascertain user satisfaction and identify ongoing problems
    with the IDMS.

•   Reviewed SSA's process for resolving, tracking, and monitoring the IDMS alerts in
    field offices.

Online Testing Environment

We tested 179 IDMS controls through online testing techniques.
These techniques
consisted of entering test transactions into a computer environment especially designed
for audit testing purposes. The test system, created by SSA in June 2005, was
separate and distinct from SSA's production mainframe system and was located on an
isolated mainframe within SSA that had partial copies of production software and data.
We conducted our testing between June 21 and August 4, 2005.

We developed our online tests based on established controls that were intended to be
programmed in the system according to the system's detailed functional requirements,
as well as on programmed controls that should exist to ensure actual results are
achieved in accordance with overall SSA policy.

We performed our audit at Headquarters in Woodlawn, Maryland, and field locations
listed above between April and October 2005. We conducted our audit in accordance
with generally accepted government auditing standards.

Appendix D

Agency Comments

SOCIAL SECURITY

MEMORANDUM

Date:      March 9, 2006                                           Refer To: S1J-3

To:        Patrick P. O'Carroll, Jr.
           Inspector General

From:      Larry W. Dye /s/
           Chief of Staff

Subject:   Office of the Inspector General (OIG) Draft Report, "Assessing the Application Controls for the
           Social Security Administration's Integrated Disability Management System" (A-14-05-15064) –
           INFORMATION

We appreciate OIG's efforts in conducting this review. Our comments on the draft report content
and recommendations are attached.

Let me know if we can be of further assistance.
Staff inquiries may be directed to Candace
Skurnik, Director, Audit Management and Liaison Staff on extension 54636.

Attachment:
SSA Response

COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL (OIG) DRAFT
REPORT, "ASSESSING THE CONTROLS FOR THE SOCIAL SECURITY
ADMINISTRATION'S INTEGRATED DISABILITY MANAGEMENT SYSTEM
(IDMS)" (A-14-05-15064) -- INFORMATION

Thank you for the opportunity to review and comment on the draft report. We appreciate the
comprehensive analysis demonstrated in this audit and take no issue with the findings. SSA takes
very seriously our security responsibilities. We appreciate that the report makes note that
components initiated appropriate profile changes during the course of the audit. In an effort to
ensure compliance with the principle of "Least Privilege," we have initiatives underway to
restructure the components' security profiles.

Our specific responses to the report's recommendations are provided below.

Recommendation 1

Remove excessive or inappropriate transaction IDs from those profiles identified as having
excessive access.

Response:

We agree. To that end, several initiatives have been completed or are underway. For example, a
revised matrix was submitted by the Deputy Commissioner for Operations (DCO) to correct the
DCO profiles identified during the course of the audit.
The Office of Systems Security\nOperations Management (OSSOM) continues to work with the Deputy Commissioner for\nDisability and Income Security Program\'s (DCDISP) Security Officer to ensure that the Ticket to\nWork program is adequately secured, including restricting user access in conformance to the\ncontract and the principles of "need to know" and "least privilege."\n\nRecommendation 2\n\nEnforce the policy of least privilege by following existing policy and conducting more thorough\nreviews of security access matrices.\n\nResponse:\n\nWe agree. As noted in the report, Agency policy restricts user access to SSA information\nsystems based on the principles of \xe2\x80\x9cneed to know\xe2\x80\x9d and \xe2\x80\x9cleast privilege.\xe2\x80\x9d To ensure compliance\nwith Agency policy, OSSOM under the direction from the Chief Information Officer instructed\nmanagers working in concert with their component security officer (CSO) to review employee\naccess to SSA systems at least once every three years, as well as when there is a change in\nemployee job function or a change to a given application. This review will take place this fiscal\nyear as a part of the Federal Information Security Management Act of 2002 compliance.\n\n\n\n\n                                               D-2\n\x0cRecommendation 3\n\nStrongly encourage Component Security Officers (CSOs), or their alternates, to attend those\nIDMS Security Kickoff meetings when access will be requested.\n\nResponse:\n\nWe agree. 
Consistent with Agency policy, CSOs and their alternates are expected to be\nentrenched in the life cycle development of Agency projects and applications, including\nparticipating in security kickoff meetings as discussed in the "Information Security Handbook"\nand echoed in the "Project Resource Guide" and the revised "Component Security Officer"\nguide.\n\nRecommendation 4\n\nEnsure the labeling of IDMS transaction IDs in the Top Secret Resource List clearly identifies\nthe type of access they bear, whether \xe2\x80\x9cupdate\xe2\x80\x9d or \xe2\x80\x9cquery-only.\xe2\x80\x9d\n\nResponse:\n\nWe agree. The Top Secret Resource List will be updated through our efforts to implement\nrecommendations 1 and 2.\n\nRecommendation 5\n\nContinue to ensure that programmer access to production datasets is controlled via the \xe2\x80\x9cSecond\n$UserID\xe2\x80\x9d process.\n\nResponse:\n\nWe agree. The Office of Systems scrutinized the batch profiles with remaining programmer\naccess to production datasets. The "ALL" access has been removed from Primary $UserIDs and\nhas been added to Second $UserIDs for a limited number of programmers.\n\nRecommendation 6\n\nIf cost effective, SSA should modify the IDMS software to allow for ticket corrections so that\nedits no longer need to be bypassed.\n\nResponse:\n\nWe agree. The Office of Systems has updated, at DCDISP\'s request, the enhanced payment file\nthat over-rides certain Employment Network (EN) Payment edits to limit access to designated\nOffice of Employment Support Programs (OESP) users. The OESP Ticket/Disability Control\nFile Program Advisor verifies the appropriateness of access for those persons who continue to\nhave that access. Ticket to Work payment functionality has been improved significantly over the\n\n\n                                               D-3\n\x0clast calendar year. However, some cases remain that must be handled manually by OESP\nbecause of previous system limitations. 
The Agency will continue to work to improve processes\nin order to limit the need for this access. At the present time, the Information Technology\nAdvisory Board (ITAB) has determined that it would not be cost effective to make significant\nchanges to the EN Payment automation process. However, we are planning for an\nimplementation to enhance EN Payments in Fiscal Year 2007. This will provide an opportunity\nto revisit the access issues presented in this recommendation.\n\n\n\n\n                                             D-4\n\x0c                                                                      Appendix E\n\nOIG Contacts and Staff Acknowledgments\nOIG Contacts\n\n   Kitt Winter, Director, Data Analysis and Technology Audits Division, (410) 965-9702\n\n   Albert Darago, Audit Manager, Application Controls Branch (410) 965-9710\n\nAcknowledgments\n\nIn addition to those named above:\n\n   Anita McMillan, Auditor-in-Charge\n\n   Greg Thompson, Senior Auditor\n\n   Ron Anderson, Auditor\n\n   Cheryl Robinson, Writer/Editor\n\nFor additional copies of this report, please visit our web site at\nwww.socialsecurity.gov/oig or contact the Office of the Inspector General\xe2\x80\x99s Public\nAffairs Specialist at (410) 965-3218. 
Refer to Common Identification Number\nA-14-05-15064.\n\x0c                             DISTRIBUTION SCHEDULE\n\nCommissioner of Social Security\nOffice of Management and Budget, Income Maintenance Branch\nChairman and Ranking Member, Committee on Ways and Means\nChief of Staff, Committee on Ways and Means\nChairman and Ranking Minority Member, Subcommittee on Social Security\nMajority and Minority Staff Director, Subcommittee on Social Security\nChairman and Ranking Minority Member, Subcommittee on Human Resources\nChairman and Ranking Minority Member, Committee on Budget, House of\nRepresentatives\nChairman and Ranking Minority Member, Committee on Government Reform and\nOversight\nChairman and Ranking Minority Member, Committee on Governmental Affairs\nChairman and Ranking Minority Member, Committee on Appropriations, House of\nRepresentatives\nChairman and Ranking Minority, Subcommittee on Labor, Health and Human Services,\nEducation and Related Agencies, Committee on Appropriations,\n House of Representatives\nChairman and Ranking Minority Member, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Subcommittee on Labor, Health and Human\nServices, Education and Related Agencies, Committee on Appropriations, U.S. Senate\nChairman and Ranking Minority Member, Committee on Finance\nChairman and Ranking Minority Member, Subcommittee on Social Security and Family\nPolicy\nChairman and Ranking Minority Member, Senate Special Committee on Aging\nSocial Security Advisory Board\n\x0c               Overview of the Office of the Inspector General\nThe Office of the Inspector General (OIG) is comprised of our Office of Investigations (OI),\nOffice of Audit (OA), Office of the Chief Counsel to the Inspector General (OCCIG), and Office\nof Resource Management (ORM). 
To ensure compliance with policies and procedures, internal\ncontrols, and professional standards, we also have a comprehensive Professional Responsibility\nand Quality Assurance program.\n                                        Office of Audit\nOA conducts and/or supervises financial and performance audits of the Social Security\nAdministration\xe2\x80\x99s (SSA) programs and operations and makes recommendations to ensure\nprogram objectives are achieved effectively and efficiently. Financial audits assess whether\nSSA\xe2\x80\x99s financial statements fairly present SSA\xe2\x80\x99s financial position, results of operations, and cash\nflow. Performance audits review the economy, efficiency, and effectiveness of SSA\xe2\x80\x99s programs\nand operations. OA also conducts short-term management and program evaluations and projects\non issues of concern to SSA, Congress, and the general public.\n\n\n                                    Office of Investigations\nOI conducts and coordinates investigative activity related to fraud, waste, abuse, and\nmismanagement in SSA programs and operations. This includes wrongdoing by applicants,\nbeneficiaries, contractors, third parties, or SSA employees performing their official duties. This\noffice serves as OIG liaison to the Department of Justice on all matters relating to the\ninvestigations of SSA programs and personnel. OI also conducts joint investigations with other\nFederal, State, and local law enforcement agencies.\n\n\n                  Office of the Chief Counsel to the Inspector General\nOCCIG provides independent legal advice and counsel to the IG on various matters, including\nstatutes, regulations, legislation, and policy directives. OCCIG also advises the IG on\ninvestigative procedures and techniques, as well as on legal implications and conclusions to be\ndrawn from audit and investigative material. 
Finally, OCCIG administers the Civil Monetary\nPenalty program.\n                              Office of Resource Management\nORM supports OIG by providing information resource management and systems security. ORM\nalso coordinates OIG\xe2\x80\x99s budget, procurement, telecommunications, facilities, and human\nresources. In addition, ORM is the focal point for OIG\xe2\x80\x99s strategic planning function and the\ndevelopment and implementation of performance measures required by the Government\nPerformance and Results Act of 1993.\n\x0c'